WordPress is the most popular CMS in the world and is increasingly being used by enterprise-level organisations as part of their digital estate. 66% of enterprise companies have WordPress somewhere in their stack, and the use of multiple CMSs is increasing among enterprise organisations.
WordPress out-of-the-box should not be considered as an enterprise-ready solution – like any software, it is not without issues – but correctly implemented, WordPress can provide a secure and robust platform to build flexible, modern websites.
Security at its Core
As the most popular CMS in the world, WordPress is under constant attack from potential hackers and constant scrutiny from security experts, and the core of WordPress maintains a high level of security. If WordPress is kept up-to-date (as it always should be), it has a strong security record.
Proactive, Automated Security
Since 2013, WordPress has automatically updated all WordPress sites with security fixes and patches. As soon as issues are reported, they can be patched and rolled out by the 50-strong Core Security Team without requiring any actions from individual websites. Major releases are still managed at site level – and are opt-in – this is often where vulnerabilities can creep in if sites are not kept up-to-date. 49% of security issues found by Sucuri last year were caused by websites running out-of-date versions of WordPress.
Since WordPress 5.5 (August 2020), plugins can also be automatically updated.
Insecurities Caused by Poor Maintenance
WordPress can become vulnerable over time if key areas are neglected:
- The core software is not kept up-to-date
- Dependencies (most commonly plugins) are not carefully selected and maintained
- Coding Standards are not maintained and poor code creeps into the code base
This would be true of all software over time and WordPress is not immune.
PHP as a language has evolved and developed over time. As of November 2022, PHP 7.4 has reached its end of life.
Concerningly, Sucuri found over 50% of WordPress sites are still using PHP 5.x – such negligence to keep servers updated skews the figures and makes PHP appear more vulnerable to attack (exactly the same issue as running a deprecated version of WordPress). Modern PHP is secure and actively improves security and performance with each release.
WordPress has a vibrant community with more than 70,000 plugins available. However, these plugins are not all of equal quality and many should never be considered for use in commercial websites. Without due diligence, bad plugin selection can lead to serious security issues.
Third-party plugins widen the attack surface and so should be carefully selected from a curated list of trusted sources.
With plugins, ‘less is more’ is normally a good principle.
Using Good Development Principles
Good implementations of WordPress stick as close to the Core as possible – like using the core block editor rather than a page builder – whilst adhering to principles of scalability and coding standards.
For example – the Theme within WordPress should contain little more than the display logic – the V of MVC. The functional logic should reside within custom plugins – including the UI Components.
Additional plugins should be carefully selected – successful and secure WordPress requires selecting plugins from a small number of trusted, well-maintained sources and creating custom solutions for the rest.
Other good security measures can be taken – for example, strong passwords can be enforced (something which happens automatically on some managed hosting platforms like WPEngine) and vulnerable system files can be moved above the `public_html` folder (for example the `wp-config.php` file).
Role permissions can be easily restricted to ensure updates are correctly run through version control (see CI/CD).
A service like Sucuri can be added to WordPress sites to harden against attack.
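The two measures above (keeping `wp-config.php` outside the web root and locking code changes to the deployment pipeline) in one production config fragment. This is an added example, not code from the page; database values and salts are placeholders, and the `public_html` layout is assumed.

```php
<?php
/*
 * Production wp-config.php stored one directory ABOVE the web root, e.g.
 * /var/www/wp-config.php beside /var/www/public_html/. WordPress loads a
 * parent-directory config automatically as long as no wp-settings.php sits
 * next to it (that check tells a parent config apart from a nested install).
 * Because the file is outside the served tree, a PHP handler misconfiguration
 * cannot hand out the database credentials as plain text.
 */
define( 'DB_NAME',     'PLACEHOLDER_DB' );
define( 'DB_USER',     'PLACEHOLDER_USER' );
define( 'DB_PASSWORD', 'PLACEHOLDER_PASSWORD' );
define( 'DB_HOST',     'localhost' );

// Unique keys and salts: generate real values from
// https://api.wordpress.org/secret-key/1.1/salt/ (placeholders here).
define( 'AUTH_KEY',         'PLACEHOLDER' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER' );
define( 'NONCE_KEY',        'PLACEHOLDER' );
define( 'AUTH_SALT',        'PLACEHOLDER' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER' );
define( 'NONCE_SALT',       'PLACEHOLDER' );

// Remove the dashboard theme/plugin file editor: a hijacked admin session
// should not be able to write PHP to disk.
define( 'DISALLOW_FILE_EDIT', true );

// Block install/update/delete of plugins and themes from the dashboard so
// that every code change reaches production through version control.
// Caveat: this also switches off WordPress's background updates, including
// core security releases, so the pipeline must apply them (e.g. a scheduled
// `wp core update` via WP-CLI followed by a commit).
define( 'DISALLOW_FILE_MODS', true );

// Require TLS for logins and the whole admin area.
define( 'FORCE_SSL_ADMIN', true );

// Never leak stack traces or file paths to visitors.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );

$table_prefix = 'wp_';

// ABSPATH is already defined by wp-load.php when this file is loaded from the
// parent directory; the fallback only matters if the file is included directly.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/public_html/' );
}
require_once ABSPATH . 'wp-settings.php';
```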
WordPress Code Structure
WordPress is 20 years old and has maintained backwards compatibility throughout most of its life-cycle. The core of WordPress has evolved over the years and does not adhere to a modern design pattern (much to the chagrin of some software engineers), but this function-based approach is not reflected in modern plugins. Most quality plugins adhere to Object Oriented Programming principles and carefully encapsulate access to different class methods – security by design.
WordPress avoids significant branch changes and maintains backwards compatibility. This enables stable development and avoids rapid sunsetting of legacy websites.
Modern CI/CD Enforcing Coding Standards
A modern WordPress Continuous Integration and Continuous Deployment (CI/CD) approach enables high levels of control over code quality and standards.
Enterprise-level WordPress should implement automated CI/CD that enforces coding standards. A task runner (usually WebPack) can automatically run checks against every engineer's code to ensure high-quality output. The code sniffer enforces PHP, JS and CSS (via SASS) standards and can provide automatic linting and browser-compatibility checks.
Via pre-commit git hooks, the CI/CD can include the code sniffer (PHPCS), bad-code flagging (PHP Mess Detector) and potential security issues (PHP Copy & Paste Detector). Visual regression tests (Backstop), performance tests (Lighthouse) and unit tests (PHPUnit) can also be run.
Modern WordPress development adheres fairly closely to the standard Git Flow – developers work on feature branches and PR into the Develop branch. Code Reviews check the submitted code and, if accepted, the code is pushed to the Development environment for QC and Acceptance Testing. Upon successful test completion, a PR is made from Develop to Master and the code is deployed to Production – triggering Regression tests.
Like any web platform, WordPress is dependent upon a good caching strategy to deliver good performance.
Caching strategies are rarely straightforward – but a clear caching strategy for WordPress has become well-established:
- Object Cache
- Proxy – Cloudfront/Cloudflare
- Full cached content to non-logged in users
- AJAX (or Fetch API) for non-cached values
WordPress can create `transients` – temporary object cache storages – to bypass heavy loads on the database.
WordPress is single-threaded software, which means horizontal scalability is critical for high-performing websites.
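The transient pattern in practice: an added example (not code from the page or from WordPress core) that caches an expensive taxonomy/meta query and invalidates it on save. The `product` post type, `brand` taxonomy and `featured` meta key are constructed names.

```php
<?php
/**
 * Return the IDs of featured products for a brand, served from a transient
 * when possible so that the WP_Query behind it does not hit MySQL on every
 * page view. Constructed names: 'product', 'brand', 'featured'.
 */
function ex_featured_product_ids( string $brand ): array {
    $slug = sanitize_title( $brand );
    // Transient names are capped at 172 characters, so hash any user-derived
    // part of the key instead of embedding it verbatim.
    $key = 'ex_feat_' . md5( $slug );

    $ids = get_transient( $key );
    if ( false !== $ids ) {
        return $ids; // cache hit: no database query (an empty array is a valid hit)
    }

    $ids = get_posts( array(
        'post_type'      => 'product',
        'post_status'    => 'publish',
        'posts_per_page' => 20,
        'fields'         => 'ids',
        'meta_key'       => 'featured',
        'meta_value'     => '1',
        'tax_query'      => array( array(
            'taxonomy' => 'brand',
            'field'    => 'slug',
            'terms'    => $slug,
        ) ),
    ) );

    // Always give a transient an expiry. Without one it is stored as an
    // autoloaded option and read on every request. With a persistent object
    // cache drop-in installed, transients live in Redis/Memcached instead of
    // the options table, so the same call works on both kinds of stack.
    set_transient( $key, $ids, 10 * MINUTE_IN_SECONDS );
    return $ids;
}

// Invalidate on save so editors see changes before the 10-minute TTL expires.
add_action( 'save_post_product', function ( int $post_id ): void {
    $slugs = wp_get_post_terms( $post_id, 'brand', array( 'fields' => 'slugs' ) );
    if ( is_wp_error( $slugs ) ) {
        return;
    }
    foreach ( $slugs as $slug ) {
        delete_transient( 'ex_feat_' . md5( $slug ) );
    }
} );
```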
Modern WordPress Stack
WordPress has a number of weak spots which can be addressed in a modern WordPress stack:
- The cron tasks can be inefficient
- The core search is inadequate for larger sites
- The media library can become unmanageable & bloated at scale
- User management does not scale well
- The templating engine can be inflexible
Each of these issues and bottlenecks can be addressed with enterprise-level WordPress:
- Cron jobs can be off-loaded to the server (or an external server)
- A tool like ElasticSearch or Algolia can replace the default search tool
- The media library can be off-loaded to an S3 Bucket or a DAM service like Cloudinary.
- We can off-load user management to an IDAM.
- The core REST API and mature support for GraphQL mean WordPress is increasingly being used as a headless data service for React frontends. (The core WordPress block editor now uses server-side React.)
These modern approaches enable WordPress to retain its strengths – ease of use and speed-to-market – whilst providing a more robust, scalable base.